Advanced Hunting

• Building a Brute Force Detection Query: How To Think Through Network Logon Failures

Show more →

Alert Tuning

• Fixing Microsoft's Azure Brute Force Detection: Why Their Template Fires Constantly (And What You Should Change)

Show more →

Analytic Rules

• Microsoft Sentinel: From Logs to Alerts - Creating Your First Analytic Rule

• How to Bulk Enable All Sentinel Analytic Rules (The Easy Way)

• Beyond the Basics: Forging Your Own Custom Detections in Defender XDR

• The KQL Playbook (Play #2): Mastering the Matching Game

• Fixing Microsoft's Azure Brute Force Detection: Why Their Template Fires Constantly (And What You Should Change)

Show more →

App Governance

• App Governance in Defender for Cloud Apps: Your OAuth App Security Command Centre

Show more →

Attack Path Analysis

• Why You Actually Need Microsoft Defender for Cloud (And What It Actually Does)

• Continuous Export to Log Analytics: Getting Defender for Cloud Data Where You Need It

Show more →

Automation

• Microsoft Sentinel: Let the Robots Do the Work - Your First Automation Playbook

• How to Bulk Enable All Sentinel Analytic Rules (The Easy Way)

• Microsoft Sentinel: How to Nuke a Noisy Incident Queue

• Microsoft Sentinel Rule Tuning: Kick the Noise, Keep the Signal

• Herding Cats with Sentinel: An In-Depth Guide to Workspace Manager

Show more →

AWS Security

• Why You Actually Need Microsoft Defender for Cloud (And What It Actually Does)

• Connecting Your Environment to Defender for Cloud: Azure, AWS, GCP, and On-Premises

Show more →

Azure

• So You've Deployed Sentinel. Now What? A Guide to Data Connectors

Show more →

Azure Arc

• Connecting Your Environment to Defender for Cloud: Azure, AWS, GCP, and On-Premises

Show more →

Azure Security

• Why You Actually Need Microsoft Defender for Cloud (And What It Actually Does)

• Connecting Your Environment to Defender for Cloud: Azure, AWS, GCP, and On-Premises

Show more →

Career Advice

• How to Nail Your First SOC Analyst Interview (Professor's Notes)

• MSSP SOC Analyst Interviews (Microsoft Stack): The questions you’ll actually get -and the answers I’d actually give

Show more →

CASB

• A SOC Analyst's Introduction to Defender for Cloud Apps

• App Governance in Defender for Cloud Apps: Your OAuth App Security Command Centre

Show more →

Cheatsheet

• Hunting Ransomware in Storage Accounts (When You Can't Afford Defender)

Show more →

Cloud Compliance

• Why You Actually Need Microsoft Defender for Cloud (And What It Actually Does)

Show more →

Cost Optimisation

• Sentinel on a Budget: How to Tame Your Log Costs

• Sentinel's Endgame Gear: Sentinel Data Lake

• Sentinel's Built-in Consultant: An In-Depth Guide to SOC Optimization

• The "Undo" Button for Sentinel Logs: An In-Depth Guide to Purging Data

• Post-Deployment Sentinel and Defender XDR: You're Not Done Yet

Show more →

Data Connectors

• So You've Deployed Sentinel. Now What? A Guide to Data Connectors

• Post-Deployment Sentinel and Defender XDR: You're Not Done Yet

Show more →

Defender for Office 365

• Attack Simulation Training in Microsoft Defender for Office 365

• Is Defender for Office 365 worth it?

Show more →

Defender XDR

• Post-Deployment Sentinel and Defender XDR: You're Not Done Yet

Show more →

GCP Security

• Why You Actually Need Microsoft Defender for Cloud (And What It Actually Does)

• Connecting Your Environment to Defender for Cloud: Azure, AWS, GCP, and On-Premises

Show more →

Getting Started

• How to create Microsoft Sentinel

• So You've Deployed Sentinel. Now What? A Guide to Data Connectors

• Microsoft Sentinel: From Logs to Alerts - Creating Your First Analytic Rule

• Microsoft Sentinel: An Incident Just Fired. Now What? (A Beginner's Guide to Investigation)

• The KQL Playbook (Play #2): Mastering the Matching Game

Show more →

Incident Response

• Microsoft Sentinel: An Incident Just Fired. Now What? (A Beginner's Guide to Investigation)

• Microsoft Threat Intelligence: Giving Your Sentinel a Brain

• Hunting Ransomware in Storage Accounts (When You Can't Afford Defender)

• Beyond the Basics: Forging Your Own Custom Detections in Defender XDR

Show more →

Interview Prep

• How to Nail Your First SOC Analyst Interview (Professor's Notes)

• MSSP SOC Analyst Interviews (Microsoft Stack): The questions you’ll actually get -and the answers I’d actually give

Show more →

KQL

• Microsoft Sentinel: From Logs to Alerts - Creating Your First Analytic Rule

• Microsoft Sentinel: An Incident Just Fired. Now What? (A Beginner's Guide to Investigation)

• The KQL Playbook (Play #1): A Beginner's Guide to Talking to Your Data

• Microsoft Sentinel's Secret Weapon: Your First Watchlist

• Microsoft Sentinel Rule Tuning: Kick the Noise, Keep the Signal

Show more →

KQL Playbook

• The KQL Playbook (Play #4): The Correlation Play - Joining Tables and Enriching Data

• The KQL Playbook (Play #5): The Anomaly Play - Finding the 'Weird'

• The KQL User Audit Playbook: Your Template for Investigations

Show more →

Learning KQL

• Building a Brute Force Detection Query: How To Think Through Network Logon Failures

Show more →

Logic Apps

• Microsoft Sentinel: Let the Robots Do the Work - Your First Automation Playbook

• The "Undo" Button for Sentinel Logs: An In-Depth Guide to Purging Data

• The Self-Updating Watchlist: Automating Sentinel with Logic Apps & Graph API

Show more →

MDCA

• A SOC Analyst's Introduction to Defender for Cloud Apps

• Mastering Policies in Defender for Cloud Apps: A Deep Dive for the SOC Trenches

• App Governance in Defender for Cloud Apps: Your OAuth App Security Command Centre

Show more →

Microsoft Defender for Cloud Apps

• A SOC Analyst's Introduction to Defender for Cloud Apps

• Mastering Policies in Defender for Cloud Apps: A Deep Dive for the SOC Trenches

• App Governance in Defender for Cloud Apps: Your OAuth App Security Command Centre

• Why You Actually Need Microsoft Defender for Cloud (And What It Actually Does)

• Connecting Your Environment to Defender for Cloud: Azure, AWS, GCP, and On-Premises

Show more →

Microsoft Sentinel

• How to create Microsoft Sentinel

• A Day in the Life of a SOC Analyst

• So You've Deployed Sentinel. Now What? A Guide to Data Connectors

• Microsoft Sentinel: From Logs to Alerts - Creating Your First Analytic Rule

• Microsoft Sentinel: An Incident Just Fired. Now What? (A Beginner's Guide to Investigation)

Show more →

MSSP

• A Day in the Life of a SOC Analyst

• MSSP SOC Analyst Interviews (Microsoft Stack): The questions you’ll actually get -and the answers I’d actually give

Show more →

OAuth Security

• App Governance in Defender for Cloud Apps: Your OAuth App Security Command Centre

Show more →

Phishing

• Attack Simulation Training in Microsoft Defender for Office 365

Show more →

Playbook

• Microsoft Sentinel: Let the Robots Do the Work - Your First Automation Playbook

Show more →

PowerShell

• How to Bulk Enable All Sentinel Analytic Rules (The Easy Way)

• Microsoft Sentinel: How to Nuke a Noisy Incident Queue

Show more →

Rule Tuning

• Microsoft Sentinel Rule Tuning: Kick the Noise, Keep the Signal

Show more →

Security Operations

• A Day in the Life of a SOC Analyst

• Microsoft Sentinel: How to Nuke a Noisy Incident Queue

• MSSP SOC Analyst Interviews (Microsoft Stack): The questions you’ll actually get -and the answers I’d actually give

• The KQL Playbook (Play #2): Mastering the Matching Game

• The KQL Playbook (Play #5): The Anomaly Play - Finding the 'Weird'

Show more →

Sentinel Tuning

• Post-Deployment Sentinel and Defender XDR: You're Not Done Yet

Show more →

Shadow IT

• A SOC Analyst's Introduction to Defender for Cloud Apps

• App Governance in Defender for Cloud Apps: Your OAuth App Security Command Centre

Show more →

SOC

• How to Nail Your First SOC Analyst Interview (Professor's Notes)

• A Day in the Life of a SOC Analyst

• Microsoft Sentinel: How to Nuke a Noisy Incident Queue

• MSSP SOC Analyst Interviews (Microsoft Stack): The questions you’ll actually get -and the answers I’d actually give

• Microsoft Threat Intelligence: Giving Your Sentinel a Brain

Show more →

SOC Operations

• Why You Actually Need Microsoft Defender for Cloud (And What It Actually Does)

• Continuous Export to Log Analytics: Getting Defender for Cloud Data Where You Need It

• Attack Simulation Training in Microsoft Defender for Office 365

• Building a Brute Force Detection Query: How To Think Through Network Logon Failures

• Is Defender for Office 365 worth it?

Show more →

Threat Hunting

• The KQL Playbook (Play #1): A Beginner's Guide to Talking to Your Data

• Sentinel's Endgame Gear: Sentinel Data Lake

• Microsoft Threat Intelligence: Giving Your Sentinel a Brain

• Hunting Ransomware in Storage Accounts (When You Can't Afford Defender)

• The KQL Playbook (Play #3): Mastering Strings, Timestamps, and Ugly JSON

Show more →

UEBA

• UEBA in Microsoft Sentinel: Stop Wasting Time on Behavioral Analytics

Show more →

Watchlist

• Microsoft Sentinel's Secret Weapon: Your First Watchlist

• The Self-Updating Watchlist: Automating Sentinel with Logic Apps & Graph API

Show more →